Latest FCKEditor ASP upload bypass vulnerability

OP
Posted on 2012-12-10 10:18:50
exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File", "Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File", "^(Extensions Here)$"
PHP test: did not work.
ASP/ASPX test: succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite, modify it, and send it with Repeater.
Change the name to asd.asp%00txt, then convert the %00 to its URL-encoded form; after uploading you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
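The advisory above makes two points: the allow-list pattern was applied without anchors, and the duplicate-file rename path ran no extension check at all. The following Python model (an added example, not code from this thread or from FCKeditor; the short allow-list subset, the function names and the hardened safe_upload_name routine are this example's own assumptions) shows why the quick patch's ^( ... )$ anchoring matters and how a connector can validate the final stored name so that the rename path is covered too.

```python
import re

# Constructed allow-list for the "File" resource type: a short subset used for
# illustration, not FCKeditor's real default list.
ALLOWED_EXTENSIONS = "gif|jpg|png|txt|pdf"


def extension_of(filename: str) -> str:
    """Text after the last dot, lowercased; empty when there is no dot."""
    _, dot, ext = filename.rpartition(".")
    return ext.lower() if dot else ""


def is_allowed_unanchored(filename: str, allowed: str = ALLOWED_EXTENSIONS) -> bool:
    """Model of the weak check: the configured pattern is applied as-is, so any
    substring of the extension equal to an allowed entry is accepted
    (an extension of 'asp\\x00txt' or 'asptxt' passes because it contains 'txt')."""
    return re.search(allowed, extension_of(filename), re.IGNORECASE) is not None


def is_allowed_anchored(filename: str, allowed: str = ALLOWED_EXTENSIONS) -> bool:
    """The advisory's quick patch: ^( ... )$ requires the whole extension to
    equal one allowed entry, so the substring trick no longer works."""
    pattern = f"^({allowed})$"
    return re.search(pattern, extension_of(filename), re.IGNORECASE) is not None


def unique_name(filename: str, existing: set) -> str:
    """Duplicate handling as the advisory describes it: on a name clash the
    connector produces base(1).ext, base(2).ext, ... In 2.6.8 this renamed
    result was stored without any further extension check."""
    if filename not in existing:
        return filename
    base, _, ext = filename.rpartition(".")
    counter = 1
    while f"{base}({counter}).{ext}" in existing:
        counter += 1
    return f"{base}({counter}).{ext}"


def safe_upload_name(filename: str, existing: set) -> str:
    """Hardened variant (this example's assumption, not vendor code):
    reject control characters such as NUL up front, keep only the last path
    component, and validate the extension of the *final* stored name with the
    anchored pattern. Raises ValueError when the name must be refused."""
    if any(ord(c) < 32 or c == "\x7f" for c in filename):
        raise ValueError("control character in filename")
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not name or name in (".", ".."):
        raise ValueError("empty filename")
    final = unique_name(name, existing)
    if not is_allowed_anchored(final):
        raise ValueError(f"extension not allowed: {extension_of(final)!r}")
    return final


def rejects(filename: str, existing: set = frozenset()) -> bool:
    """True when safe_upload_name refuses the filename."""
    try:
        safe_upload_name(filename, set(existing))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample names; the NUL case mirrors the asd.asp%00txt test above.
    for sample in ("asd.asp.txt", "asd.asp\x00txt", "shell.asptxt", "shell.asp"):
        print(repr(sample), "unanchored:", is_allowed_unanchored(sample),
              "anchored:", is_allowed_anchored(sample),
              "hardened rejects:", rejects(sample))
```

Note that the unanchored check accepts a plain "asptxt" extension as well, so the weakness is not limited to null-byte names; the anchored pattern and the re-validation of the deduplicated name close both cases, while the control-character rejection removes the truncation ambiguity before the filesystem ever sees the name.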